Department of Revenue chief: No security officer for nearly a year before breach

The top man at the South Carolina Department of Revenue admitted Wednesday that the tax collection agency did not have a cyber-security expert on its staff for nearly 11 months before a hacker got into the agency’s database this year.

Jim Etter told state senators in a hearing that the agency had trouble filling the job after its previous security officer left. He said the $100,000-per-year salary was much lower than similar private sector positions. “We are not competitive to the private sector and trying to find a qualified individual into this type of position is very difficult,” Etter said in testimony Wednesday.

Etter said the agency’s chief information officer took over security duties from September 2011 until a new security officer was hired in August this year. The hacker is believed to have first attacked the system at the end of August.

Etter, who has already said he will step down as director on December 31, spoke to a special Senate Finance subcommittee that was created to investigate the hacking. The committee hopes to have a report finished by the start of the legislative session in January.

After the meeting, Sen. Kevin Bryant (R-Anderson) questioned why the Revenue Department did not act with more urgency to fill the position. He said the legislature was never approached about possibly increasing the salary of the open job, “I understand these folks make a lot of money and we’ve got to compete with the private sector, but I don’t remember someone screaming from the rooftops that we’ve got to fill this position.”

Adding to the intrigue, the agency’s Chief Information Officer Mike Garon left the department a few weeks after a new security expert was hired. The agency will not reveal why Garon left, citing personnel issues. Meanwhile, unknown to SCDOR employees, a hacker was snooping around Department of Revenue files at the time of Garon’s departure.

The hacker used a foreign IP address to remotely access the Department of Revenue’s system in August. The attacker is believed to have tricked an employee into downloading malicious software through email. That software gave the hacker access to the agency’s database via the internet. Over the next month, the hacker was then eventually able to steal the information of more than 3.8 million tax filers, plus their 1.9 million dependents and 700,000 businesses. (See what investigators believe happened)

A report released by the cyber security firm Mandiant last week revealed two vulnerabilities in the system that led to the data breach. The first was the lack of a dual-password system that would require an employee to log in with both their personal credentials and a special password they would be given that changes every minute.

The SCDOR system only required the employee credentials, which gave the hacker free rein after using malware to steal credentials from an unsuspecting employee’s computer in August. Mandiant investigator Marshall Heilman told senators that the hacker would have had difficulty cracking a two-password system.

Etter said the agency is now following Mandiant’s recommendations and creating a dual-password (also known as “multifactor authentication”) system at a cost of $25,000. But senators questioned why the agency did not invest in the system in the first place.

“This could have been prevented by very inexpensive technology,” Bryant said, “We wouldn’t be here had somebody made that decision to use the multifactor authentication. I almost fell out of my chair when I came to that conclusion.”

Lawmakers also questioned Etter about the second vulnerability cited by Mandiant— the fact that Social Security numbers were not encrypted in the database. Sen. Darrell Jackson (D-Columbia) wanted to know why Social Security and bank account numbers were unencrypted while other data was.

“I’m just baffled that we as a state did not do more. I can’t imagine what would be more sensitive than a Social Security number,” he said during the hearing.

The Department of Revenue made a decision in 2006 not to encrypt all of its data, Etter said, with officials believing a $5 million price tag was cost-prohibitive. Instead, they decided to follow IRS guidelines, which do not require encryption of tax information in servers.

However, he said his agency requested $14.4 million in last year’s budget to replace the nearly 40-year-old computer system. The budget line failed in the House. Etter said the new system would have encrypted Social Security numbers had it been approved. However, he admitted that SCDOR officials requested the new system for efficiency reasons at the time and did not portray it as a security issue.

Bryant bristled at the notion that a new system would have fixed the problem. “There was no sounding the alarm of ‘were going to get hacked unless we do this.’ This multifactor authentication could have been used in the current system whether they got the $14.4 million or not.”